A large number of apps for iPhones and iPads are susceptible to hacks that cause them to surreptitiously send and receive data to and from malicious servers instead of the legitimate ones they were designed to connect to, security researchers said on Tuesday.
Researchers from Israel-based Skycure stumbled on the problem when they observed their own app redirecting to a wrong address. The team soon discovered that they could make many other apps exhibit the same behavior. As a result, apps that display news, stock quotes, social media content, or even some online banking details can be manipulated to display fraudulent information and intercept data sent by the end user. After an app has been tampered with once, it will continue to connect to the hacker-controlled server for an extended period of time, with no outward indication it is doing so. The weakness, dubbed HTTP request hijacking (HRH), is estimated to affect at least 10,000 titles in Apple's App Store.
"Since Apple does not approve automatic download and scanning of iOS applications, we decided to do manual tests of a bunch of high-profile applications," Yair Amit, CTO and co-founder of Skycure, wrote in an e-mail. "Due to the fact [that] almost half of them were susceptible to HRH, we estimate that the number of vulnerable apps is very large, probably tens of thousands."